
An attack on the proactive RSA signature scheme in the URSA ad hoc network access control protocol

Published: 25 October 2004

ABSTRACT

Recently, Luo et al., in a series of papers [17, 14, 13, 18, 15], proposed a set of protocols for providing ubiquitous and robust access control (URSA) in mobile ad hoc networks without relying on a centralized authority. The URSA protocol relies on a new proactive RSA signature scheme, which allows members of an ad hoc group to make access control decisions in a distributed manner. The proposed proactive RSA signature scheme is assumed secure as long as no more than an allowed threshold of participating members is simultaneously corrupted at any point in the lifetime of the scheme.

In this paper we show an attack on this proposed proactive RSA scheme, in which an admissible threshold of malicious group members can completely recover the group RSA secret key in the course of the lifetime of the scheme. Our attack stems from the fact that the threshold signature protocol which is part of this proactive RSA scheme leaks some seemingly innocuous information about the secret signature key. We show how the corrupted members can influence the execution of the scheme in such a way that the slowly leaked information is used to reconstruct the entire shared secret.

References

  1. J. Blomer and A. May. New Partial Key Exposure Attacks on RSA. In D. Boneh, editor, CRYPTO '03, number 2729 in LNCS, pages 27--43. IACR, 2003.
  2. A. Boldyreva. Efficient threshold signatures, multisignatures and blind signatures based on the gap-Diffie-Hellman-group signature scheme. In Proceedings of International Workshop on Practice and Theory in Public Key Cryptography, volume 2567 of LNCS, pages 31--46, 2003.
  3. D. Boneh, G. Durfee, and Y. Frankel. An attack on RSA given a small fraction of the private key bits. In ASIACRYPT '98, number 1514 in LNCS, pages 25--34, 1998.
  4. D. Boneh, B. Lynn, and H. Shacham. Short Signatures from the Weil Pairing. In C. Boyd, editor, ASIACRYPT '01, number 2248 in LNCS, pages 514--532. IACR, 2001.
  5. J. Camenisch and M. Michels. Separability and efficiency for generic group signature schemes. In Advances in Cryptology - CRYPTO '99, volume 1666 of LNCS, pages 106--121, 1999.
  6. Y. Desmedt and Y. Frankel. Threshold cryptosystems. In G. Brassard, editor, CRYPTO '89, number 435 in LNCS, pages 307--315. IACR, 1990.
  7. Y. Frankel, P. Gemmell, P. D. MacKenzie, and M. Yung. Optimal-Resilience Proactive Public-Key Cryptosystems. In Foundations of Computer Science FOCS '97, pages 384--393, 1997.
  8. Y. Frankel, P. Gemmell, P. D. MacKenzie, and M. Yung. Proactive RSA. In Proc. of CRYPTO '97, pages 440--454, 1997.
  9. R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin. Robust Threshold DSS Signature. In M. Abadi, editor, Information and Computation, vol. 164 (1), pages 54--84. 2001.
  10. A. Herzberg, M. Jakobsson, S. Jarecki, H. Krawczyk, and M. Yung. Proactive public key and signature systems. In ACM Conference on Computers and Communication Security, 1997.
  11. A. Herzberg, S. Jarecki, H. Krawczyk, and M. Yung. Proactive Secret Sharing, Or How To Cope With Perpetual Leakage. In D. Coppersmith, editor, CRYPTO '95, number 963 in LNCS, pages 339--352. IACR, 1995.
  12. S. Jarecki and N. Saxena. Further Simplifications in Proactive RSA Signature Schemes. In submission. Draft available from the authors and on http://eprint.iacr.org. August 2004.
  13. J. Kong, H. Luo, K. Xu, D. L. Gu, M. Gerla, and S. Lu. Adaptive Security for Multi-level Ad-hoc Networks. In Journal of Wireless Communications and Mobile Computing (WCMC), volume 2, pages 533--547, 2002.
  14. J. Kong, P. Zerfos, H. Luo, S. Lu, and L. Zhang. Providing Robust and Ubiquitous Security Support for MANET. In IEEE 9th International Conference on Network Protocols (ICNP), 2001.
  15. H. Luo, J. Kong, P. Zerfos, S. Lu, and L. Zhang. URSA: Ubiquitous and Robust Access Control for Mobile Ad Hoc Networks, available on-line at http://www.cs.ucla.edu/wing/publication/publication.html. In IEEE/ACM Transactions on Networking (ToN), to appear, Oct 2004.
  16. Songwu Lu. Comments on Recent Advances in Cryptoanalysis of URSA. A draft communicated to the authors by email by Songwu Lu, on August 16th, 2004.
  17. H. Luo and S. Lu. Ubiquitous and Robust Authentication Services for Ad Hoc Wireless Networks. Technical Report TR-200030, Dept. of Computer Science, UCLA, 2000.
  18. H. Luo, P. Zerfos, J. Kong, S. Lu, and L. Zhang. Self-securing Ad Hoc Wireless Networks. In Seventh IEEE Symposium on Computers and Communications (ISCC '02), 2002.
  19. M. Narasimha, G. Tsudik, and J. H. Yi. On the Utility of Distributed Cryptography in P2P and MANETs: The Case of Membership Control. In IEEE 11th International Conference on Network Protocols (ICNP), pages 336--345, November 2003.
  20. R. Ostrovsky and M. Yung. How to withstand mobile virus attacks. In 10th ACM Symp. on the Princ. of Distr. Comp., pages 51--61, 1991.
  21. T. Rabin. A Simplified Approach to Threshold and Proactive RSA. In H. Krawczyk, editor, CRYPTO '98, number 1462 in LNCS, pages 89--104. IACR, 1998.
  22. N. Saxena, G. Tsudik, and J. H. Yi. Admission Control in Peer-to-Peer: Design and Performance Evaluation. In ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN), pages 104--114, October 2003.
  23. N. Saxena, G. Tsudik, and J. H. Yi. Identity-based Access Control for Ad Hoc Groups. In submission, September 2004.
  24. A. Shamir. How to Share a Secret. Commun. ACM, 22(11):612--613, Nov. 1979.
  25. L. Zhou and Z. J. Haas. Securing Ad Hoc Networks. IEEE Network Magazine, 13(6):24--30, 1999.

Published in

SASN '04: Proceedings of the 2nd ACM workshop on Security of ad hoc and sensor networks
October 2004, 124 pages
ISBN: 1581139721
DOI: 10.1145/1029102

Copyright © 2004 ACM


Publisher: Association for Computing Machinery, New York, NY, United States

